Google Chrome Emergency Update Fixes Sixth Zero-day Vulnerability in 2023

Users of the Google Chrome browser are advised to install and activate the latest update as soon as possible.

Google has released security updates for Chrome to fix seven vulnerabilities, including a zero-day vulnerability that was actively exploited by attackers.

The vulnerability, identified as CVE-2023-6345, is a serious integer overflow bug in Skia, an open 2D graphics library. It was discovered by Benoit Sevens and Clement Lesigne of the Google Threat Analysis Group (TAG) on November 24, 2023.

Google has confirmed that an exploit exists for CVE-2023-6345, but does not disclose details about attacks or threats related to its use.

It is noted that in April 2023, Google already released a patch for a similar integer overflow vulnerability in Skia (CVE-2023-2136), which was also actively exploited. There is a possibility that CVE-2023-6345 may work around this patch.

CVE-2023-2136 allowed a remote attacker who compromised the rendering process to potentially escape from the sandbox through a specially created HTML page.

The company has patched seven zero-day vulnerabilities in Chrome since the beginning of the year, including:
  • CVE-2023-2033 (CVSS score: 8.8) - type confusion in V8,
  • CVE-2023-2136 (CVSS score: 9.6) - integer overflow in Skia,
  • CVE-2023-3079 (CVSS score: 8.8) - type confusion in V8,
  • CVE-2023-4762 (CVSS score: 8.8) - type confusion in V8,
  • CVE-2023-4863 (CVSS score: 8.8) - buffer overflow in WebP,
  • CVE-2023-5217 (CVSS score: 8.8) - VP8 encoded buffer overflow in libvpx.

Users are advised to upgrade to Chrome version 119.0.6045.199/.200 for Windows and 119.0.6045.199 for macOS and Linux to prevent potential threats. Users of Chromium-based browsers, such as Microsoft Edge, Brave, Opera, and Vivaldi, are also advised to upgrade as soon as the corresponding updates become available.
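A small fleet check for the advice above, added here as an example and not part of the original post: it parses the build number out of `chrome --version` style output and compares it against the fixed build 119.0.6045.199 from the post (Windows' .200 build passes the same comparison). The host names and version strings are constructed sample data.

```python
"""Flag Chrome/Chromium installs that predate the CVE-2023-6345 fix."""
import re
from typing import Dict, List, Optional, Tuple

# Minimum fixed build from the advisory: 119.0.6045.199 on all desktop platforms.
# Windows also ships 119.0.6045.200, which compares higher and therefore passes.
MIN_FIXED_BUILD = (119, 0, 6045, 199)

# Chrome reports a four-part build number, e.g. "Google Chrome 119.0.6045.159".
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")

# Constructed sample inventory: host -> captured `--version` output.
# Applies to Chrome and Chromium builds only; Edge, Brave, Opera and Vivaldi
# carry their own version numbering and need their own fixed-build values.
SAMPLE_INVENTORY: Dict[str, str] = {
    "ws-01": "Google Chrome 119.0.6045.159",
    "ws-02": "Google Chrome 119.0.6045.200",
    "ws-03": "Chromium 118.0.5993.117 Built on Ubuntu",
    "ws-04": "Google Chrome 120.0.6099.62",
}


def parse_version(text: str) -> Optional[Tuple[int, int, int, int]]:
    """Return the four-part build number found in `text`, or None if absent."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    major, minor, build, patch = (int(p) for p in m.groups())
    return (major, minor, build, patch)


def is_patched(version_text: str) -> bool:
    """True when the reported build is at or beyond the fixed build.

    Tuple comparison is component-wise, so 119.0.6045.200 > 119.0.6045.199
    and 120.x > 119.x without any string tricks.
    """
    version = parse_version(version_text)
    if version is None:
        raise ValueError(f"no build number found in {version_text!r}")
    return version >= MIN_FIXED_BUILD


def hosts_needing_update(inventory: Dict[str, str]) -> List[str]:
    """Sorted list of hosts whose reported build is older than the fix."""
    return sorted(host for host, out in inventory.items() if not is_patched(out))


if __name__ == "__main__":
    print("needs update:", hosts_needing_update(SAMPLE_INVENTORY))
```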